Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev <gentoo-dev@l.g.o>
Subject: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)
Date: Sun, 29 Sep 2019 09:56:31
1 Hi,
3 Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP.
4 I've been putting some effort into switching to HTTPS whenever possible
5 (i.e. when the server's running HTTPS and has a valid certificate).
6 However, the way things work people still have a pretty good chance of
7 hitting HTTP or FTP mirror instead.
9 Hence, I'd like to propose that whenever thirdpartymirrors contain HTTPS
10 mirrors for the group in question, we remove all HTTP and FTP
11 alternatives. This way, if mirror:// is actually utilized, people won't
12 unnecessarily use unsecured connections.
14 I believe this falls in line with the generic policy of preferring HTTPS
15 over HTTP/FTP URIs.
17 Why is it useful? In my opinion, the most important point is that it
18 stops third parties from sniffing what the Gentoo hosts are fetching
19 and using this information against them.
21 WDYT?
23 --
24 Best regards,
25 Michał Górny


File name MIME type
signature.asc application/pgp-signature